PowerProtect Data Manager 19.11 Amazon Web Services Deployment Guide

PDF

Minimum AWS IAM role permissions for deployment

When deploying an AWS-based PowerProtect Data Manager instance, you can use IAM user roles assigned a minimum number of permissions to restrict user access. You can also use an IAM CloudFormation role assigned a minimum number of permissions to restrict CloudFormation access.

IAM user roles and permissions

The following table lists the minimum permissions that are required for the IAM user roles.

Table 1. Minimum permissions of IAM user roles required to deploy PowerProtect Data ManagerMinimum permissions of IAM user roles required to deploy PowerProtect Data Manager
Service	Actions	Resources	Request conditions
EC2	All EC2 actions (*)	All resources	None
SNS	ListTopics GetTopicAttributes	All resources	None
Marketplace	ViewSubscriptions Subscribe Unsubscribe ListBuilds DescribeBuilds	All resources	None
IAM	Write PassRole ListRoles	All resources	None
CloudFormation	All CloudFormation actions (*)	All resources	None

The following JSON code can be used set these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ViewSubscriptions",
                "aws-marketplace:Subscribe",
                "aws-marketplace:Unsubscribe",
                "aws-marketplace:ListBuilds",
                "aws-marketplace:DescribeBuilds",
                "iam:ListRoles",
                "iam:ListInstanceProfiles",
                "sns:GetTopicAttributes",
                "sns:ListTopics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
           ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        }
]
}

IAM PowerProtect Data Manager and DDVE roles

The following table lists where the PowerProtect Data Manager and DDVE roles are selected from when creating the CloudFormation stack.

Table 2. Selection of IAM PowerProtect Data Manager and DDVE roles during stack creationSelection of IAM PowerProtect Data Manager and DDVE roles during stack creation
Role	CloudFormation template location
PowerProtect Data Manager	CloudFormation > Stacks > Create stack > Configure stack options > PowerProtect Data Manager Instance and Network Configuration > IAM Role (Optional)
DDVE	CloudFormation > Stacks > Create stack > Configure stack options > DDVE Instance Configuration > IAM Role for S3 access

IAM CloudFormation role and permissions

The AWS CloudFormation service deploys the PowerProtect Data Manager and DDVE instances. By default, this service uses the same roles and permissions as the logged-in user. These permissions can be changed by selecting an IAM CloudFormation role.

When you create the CloudFormation stack, the IAM CloudFormation role is selected from CloudFormation > Stacks > Create stack > Configure stack options > Permissions > IAM role name.

The following table lists the minimum permissions that are required for the IAM CloudFormation role.

Table 3. Minimum permissions of IAM CloudFormation role required to deploy PowerProtect Data ManagerMinimum permissions of IAM CloudFormation role required to deploy PowerProtect Data Manager
Service	Actions	Resources	Request conditions
EC2	All EC2 actions (*)	All resources	None
IAM	Write PassRole ListRoles	All resources	IAM:PassedToService (StringLike ecs.amazonaws.com)